The present invention relates generally to the field of programmable logic and specifically to a method of securing configuration data for programmable logic.
The use of Programmable Logic Devices (PLD) in modern digital electronics is well known and widely practiced. PLDs are a class of general-purpose integrated circuit devices that can be configured for a wide variety of functions and applications. In general, PLDs comprise an array of logic elements and variable interconnection paths between the logic elements and the chip I/O. At least the interconnections, and in more complex PLDs the logic blocks and I/O pins as well, are programmable, allowing a system designer to implement a broad array of functions ranging from a collection of glue logic to complex state machines that perform high-order functions. The set of information that defines the programmed logic blocks and/or programmed interconnections is referred to herein as “configuration data.”
The mating of configuration data and PLDs to create design-specific integrated circuit devices may occur at various times and in various manners, according to the type of PLD and the technology it employs. For example, Programmable Array Logic (PAL) devices, which typically comprise a sea of AND gates feeding a fixed OR array, are typically programmed via EEPROM fuse technology at manufacture or integration, and are fielded as design-specific, programmed chips. Field Programmable Gate Arrays (FPGA) are generally more complex devices, often comprising an array of programmable logic blocks, wherein the blocks are interconnected via a programmable interconnect. FPGA logic blocks are often implemented as Look-Up Tables (LUT), and configuration data is typically stored in volatile memory. The configuration of such devices into design-specific chips is thus “soft,” or ephemeral, and does not reflect a permanent alteration of physical structures within the chip. In other words, the configuration data does not survive the loss of power, and must be re-loaded into the FPGA upon each power-up. Additionally, it is known to re-configure some or all of an FPGA's circuits occasionally or periodically.
A new class of programmable logic, referred to herein as Virtual Hardware Architecture (VHA), is described by Schmit et al. in “PipeRench: A Reconfigurable Architecture and Compiler,” IEEE Computer, pages 70-76 (April 2000), incorporated herein in its entirety. In a VHA device, a plurality of Processing Elements containing programmable logic and register arrays are arranged in a plurality of horizontal rows or “stripes,” with programmable interconnection between the stripes. Efficient, complex Streaming Data Processors (SDP) may be constructed by configuring each stripe as a pipeline stage in a pipelined computational operation. The stripes and interconnect are dynamically reconfigured as necessary, in an ongoing fashion, to implement the pipelined operations.
A well-recognized problem with FPGAs, which is also present with VHAs, is that configuration data must be transferred, or downloaded, to the programmable logic device at least as often as every power-up. Since the configuration data often embodies the intellectual property that represents the value added to the system, a significant danger is that the configuration data may be copied and used to configure PLDs in unauthorized or “bootleg” systems, without compensating the system designer. A number of solutions to this problem have been developed in the art.
For example, it is known to co-locate a memory containing the configuration data to be downloaded, and the PLD requiring the configuration data, on a Multi-Chip Module (MCM), wherein the data transfer bus interconnecting the two is inaccessible from the external pins of the MCM. This solution is costly, and precludes the economies of scale available by using system memory to store configuration data as well as perform other system functions.
Cryptography has been widely utilized to protect PLD intellectual property, by encrypting the configuration data and providing dedicated decrypting circuits within the PLD. The encrypted configuration data may be freely distributed, as it is useless without a specific decryption key. Several models exist for the distribution of the decryption key to the PLD. In one model, the decryption key may be distributed separately from the encrypted configuration data. While this approach is sufficient to defeat the casual or unsophisticated copier, both the encrypted configuration data and the decryption key reside within the software of the system in the field. By reverse-engineering the operating system and the various application modules therein, a dedicated and sophisticated copier may uncover the decryption key, decrypt the encrypted configuration data, and thereby unlock the system designer's intellectual property.
A second, more secure, method of decryption key distribution is to encode the decryption key into the PLD at manufacture, or at least prior to deploying the system in the field. For example, the key may be encoded in the mask works for the PLD; encoded after manufacture by conventional PLD programming, such as blowing fuses; written to non-volatile write-only memory; or the like. While this greatly enhances security, it dramatically increases the cost of the PLD, and hence the system, since each PLD for a particular system must be separately configured, and subsequently tracked as a customized part. Various other key distribution methodologies, such as third-party key management, introduce additional inefficiencies and increase costs.